Clinical Privacy Pledge

What Data We Collect

We collect only the minimum data necessary to operate the platform and improve clinical outcomes for your clients:

• Account Information: Name, email address, professional role, and subscription tier selected during sign-up.
• Professional Credentials: NPI number and licensing information provided voluntarily for peer-review access. NPI numbers are verified against the public CMS registry.
• Platform Usage Data: Which resources you save, rate, or share; peer-review submissions; content requests and votes. This data is used solely to personalise recommendations and improve the library.
• Expertise Profile (Optional): Clinical specialties and theoretical orientations you self-select to enable targeted peer-review assignment. These are never shared with third parties.
• Session Data: Standard web server logs (IP address, browser type, pages visited) retained for 90 days for security and diagnostics only.
• Terms Acceptance Record: Timestamp and version of the Terms of Service you accepted, retained for compliance purposes.

How We Use Your Data

• Platform Personalisation: Your saved resources and expertise tags are used to surface relevant content and match you to appropriate peer-review assignments.
• Library Improvement: Aggregated, anonymised usage signals help us identify gaps in the resource library and direct the AI Scout and editorial team.
• Compliance & Security: Credential and Terms acceptance records are retained to satisfy professional and legal compliance requirements.
• Communications: We may send transactional emails (password resets, ToS updates, peer-review notifications). You may opt out of non-essential communications at any time from your account settings.

We do not use your data for advertising profiling, behavioural tracking, or any purpose not listed above.

Data Sharing & Third Parties

ResourceNexus does not sell, rent, or share your personal data with third parties for commercial purposes. The only data processors we engage are:

• Supabase: Our database infrastructure provider, used to store account and credential data. Supabase is SOC 2 Type II compliant.
• Payment Processor: Subscription billing is handled by a PCI-DSS compliant processor. ResourceNexus never stores raw card data.
• Google (Gemini API): Resource content is processed by Gemini to generate clinical summaries and AI Scout recommendations. No personal user data is included in Gemini prompts.

All third-party processors are contractually bound to process data only as directed by ResourceNexus and to maintain appropriate security standards.

Data Retention & Deletion

Active account data is retained for the life of your subscription. If you cancel or delete your account, your personal profile data is purged within 30 days. Anonymised, aggregated usage signals (which cannot be traced back to you) may be retained indefinitely to improve the library.

Compliance records (Terms of Service acceptance logs, NPI verification records) are retained for 7 years to satisfy professional regulatory requirements, even after account deletion.

Security Measures

• All data in transit is encrypted with TLS 1.3.
• Passwords are hashed using PBKDF2 with a unique per-user salt; we never store plaintext passwords.
• Access to production data is restricted to a minimal set of authorised personnel.
• NPI verification uses the public CMS registry only — we do not retain raw API responses beyond the verified status flag.
• Session tokens expire after inactivity and are invalidated on logout.

We conduct periodic security reviews. If you discover a security vulnerability, please report it responsibly to [email protected].

Policy Updates

When this Privacy Policy is materially updated, we will notify active subscribers via email and require re-acceptance of the updated Terms (which incorporate this policy) upon next login. The version date at the top of this page reflects the date of the most recent changes.